    aws-cross-over-policies-snippet
  
        
  
    
| Example scenario: an EC2 instance in the AWS DEV account 111111111111 needs to access the S3 service in the PROD account 222222222222 | |
| This is the account that holds the EC2 instance: DEV | |
| IAM User: test | |
| Inline policy: | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "sts:AssumeRole" | |
| ], | |
| "Resource": "arn:aws:iam::222222222222:role/PROD-EC2-CrossAccountRole" | |
| } | |
| ] | |
| } | |
| Prod AWS Account -> Roles: PROD-EC2-CrossAccountRole | |
| Role ARN arn:aws:iam::111111111111:role/PROD-EC2-CrossAccountRole | |
| Instance Profile ARN(s): arn:aws:iam::111111111111:instance-profile/PROD-EC2-CrossAccountRole | |
| Trust relationship policy: | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "", | |
| "Effect": "Allow", | |
| "Principal": { | |
| "AWS": "arn:aws:iam::222222222222:root" | |
| }, | |
| "Action": "sts:AssumeRole", | |
| "Condition": { | |
| "Bool": { | |
| "aws:MultiFactorAuthPresent": false | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| Policy attached to the above role: | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "s3:ListBucket", | |
| "s3:GetObjectAcl", | |
| "s3:GetBucketAcl", | |
| "s3:GetBucketLocation", | |
| "s3:ListBucketMultipartUploads" | |
| ], | |
| "Resource": "arn:aws:s3:::name-of-my-bucket", | |
| "Condition": {} | |
| }, | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "s3:AbortMultipartUpload", | |
| "s3:DeleteObject", | |
| "s3:DeleteObjectVersion", | |
| "s3:GetObject", | |
| "s3:GetObjectAcl", | |
| "s3:GetBucketAcl", | |
| "s3:GetObjectVersion", | |
| "s3:GetObjectVersionAcl", | |
| "s3:PutObject", | |
| "s3:PutObjectAcl", | |
| "s3:PutObjectAclVersion" | |
| ], | |
| "Resource": "arn:aws:s3:::name-of-my-bucket/*", | |
| "Condition": {} | |
| }, | |
| { | |
| "Effect": "Allow", | |
| "Action": "s3:ListAllMyBuckets", | |
| "Resource": "*", | |
| "Condition": {} | |
| } | |
| ] | |
| } | |
| AWS CLI command used to check whether it works: | |
| aws sts assume-role --role-arn "arn:aws:iam::222222222222:role/PROD-EC2-CrossAccountRole" --role-session-name "test" | |
| A client error (AccessDenied) occurred when calling the AssumeRole operation: User: arn:aws:iam::111111111111:user/test is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::222222222222:role/PROD-EC2-CrossAccountRole | |
| From rdark in the ##AWS IRC channel, after removing the MFA condition from the trust policy :) (an AssumeRole call made without MFA does not satisfy the aws:MultiFactorAuthPresent condition above, so that trust policy denies it) | |
| { | |
| "AssumedRoleUser": { | |
| "AssumedRoleId": "SCRAMBLED-EGGS-FOR-BREAKFAST-HIDE-ME:test", | |
| "Arn": "arn:aws:sts::222222222222:assumed-role/PROD-EC2-CrossAccountRole/test" | |
| }, | |
| "Credentials": { | |
| "SecretAccessKey": "SCRAMBLED-EGGS-FOR-BREAKFAST-HIDE-ME", | |
| "SessionToken": "SCRAMBLED-EGGS-FOR-BREAKFAST-HIDE-MESCRAMBLED-EGGS-FOR-BREAKFAST-HIDE-MESCRAMBLED-EGGS-FOR-BREAKFAST-HIDE-MESCRAMBLED-EGGS-FOR-BREAKFAST-HIDE-MESCRAMBLED-EGGS-FOR-BREAKFAST-HIDE-MESCRAMBLED-EGGS-FOR-BREAKFAST-HIDE-MESCRAMBLED-EGGS-FOR-BREAKFAST-HIDE-ME==", | |
| "Expiration": "2015-06-29T16:57:19Z", | |
| "AccessKeyId": "SCRAMBLED-EGGS-FOR-BREAKFAST-HIDE-ME" | |
| } | 
  